Tag: tutorial

What is WP-Bruiser?

WP-Bruiser, formerly known as “Goodbye Captcha”, is a free plugin for WordPress which blocks bot spam in your comment forms. It also has some non-free extensions which integrate with various popular contact forms and other addons to block bot spam in those as well. It does this using a clever token system which bots cannot defeat. This eliminates the need to annoy your users with a “Captcha” and presents a more professional web experience to your visitors. WP-Bruiser also includes some security features, which is what we are going to focus on today.

Installing WP-Bruiser

From your WordPress dashboard you can go to Plugins -> Add New and search for WP-Bruiser. You’ll find it in the standard WordPress plugin repository where you can install and activate it. The WP-Bruiser settings page has several tabs at the top of the screen. The first tab, labeled simply “Settings”, is not strictly security related.

Security Tab

This tab offers a number of useful security features. At the top you can see Brute Force settings. For maximum security you should enable all of these. If you want your website to be accessible from anonymous TOR nodes then leave the Anonymous Proxy IPs option unchecked, but be warned a lot of attacks use the TOR network.

Next you’ll see ‘White Listed IPs’, where you can provide some IP addresses which should never be blocked from the website. This section helpfully tells you your own IP in case you want to add it, but be aware that your IP might change and if it does you’ll want to update this section.

Following that is ‘Black Listed IPs’ which is where you can manually enter IP addresses you would like to ‘ban’ from accessing your site.
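As an added example (not part of WP-Bruiser or this tutorial), here is a Python sketch of the kind of check the Brute Force settings and White Listed IPs perform, run over a few constructed Apache access-log lines: it counts failed logins to wp-login.php per source address inside a sliding window and skips any address on an allowlist. The log lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Apache access-log lines for illustration only (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.5 - - [10/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.5 - - [10/Mar/2024:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.5 - - [10/Mar/2024:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.5 - - [10/Mar/2024:10:03:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for POSTs to wp-login.php answered with 200.
    WordPress re-renders the form (200) on a bad password and redirects
    (302) on success, so a 200 here is treated as a failed attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(log_text, threshold=4, window=timedelta(minutes=1), allowlist=()):
    """Return IPs with at least `threshold` failed logins inside any sliding `window`,
    skipping addresses covered by `allowlist` (single hosts or CIDR ranges)."""
    nets = [ip_network(a, strict=False) for a in allowlist]
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        if any(ip_address(ip) in n for n in nets):
            continue
        per_ip[ip].append(ts)
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)
```

The allowlist matters in practice: your own address should never end up blocked, which is exactly why the plugin shows it to you in the White Listed IPs section.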

WordPress Tab

I recommend enabling all of the options in the WordPress Standard Forms Settings box, the first one you see. This will extend WP-Bruiser to prevent bots from registering accounts, as well as preventing certain kinds of scripted bot behaviors. Chances are you don’t want bots doing anything on your website.

The next section is ‘Tweaking WordPress’. You should enable Hide WordPress Version. Nobody needs to know what version of WordPress you’re using, and hackers will use that information to find vulnerabilities in your site. Next you should enable Remove RSD Header and Remove WLW Header if you don’t explicitly require them. If you aren’t making use of XML-RPC, and most people aren’t, then you should enable both of those options as well.
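As an added example (not the plugin’s code), a small Python audit that checks a front-page response for the fingerprints the Tweaking WordPress options remove: the generator meta tag, the RSD (EditURI) and WLW manifest links, and the X-Pingback header that advertises xmlrpc.php. Both responses are constructed, with example.invalid as a placeholder host; the audit also flags `?ver=` query strings on assets, which leak the version even after the meta tag is hidden.

```python
import re

# Constructed responses for illustration; neither is captured from a real site.
BEFORE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.invalid/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.invalid/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/t/style.css?ver=5.8.1" />
</head><body></body></html>"""
BEFORE_HEADERS = {"X-Pingback": "https://example.invalid/xmlrpc.php", "Server": "Apache"}

AFTER_HTML = """<html><head>
<link rel="stylesheet" href="https://example.invalid/wp-content/themes/t/style.css" />
</head><body></body></html>"""
AFTER_HEADERS = {"Server": "Apache"}

CHECKS = {
    # finding name: regex searched over the HTML document
    "generator_meta": re.compile(r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I),
    "rsd_link": re.compile(r'<link[^>]+rel="EditURI"', re.I),
    "wlw_manifest": re.compile(r'<link[^>]+rel="wlwmanifest"', re.I),
    # ?ver=5.8.1 on core or theme assets reveals the version without the meta tag
    "version_query_string": re.compile(r'\?ver=\d+\.\d+(?:\.\d+)?'),
}

def audit_wp_fingerprints(html, headers):
    """Return the names of WordPress fingerprints still exposed by a front-page
    response. Header names are compared case-insensitively."""
    found = [name for name, rx in CHECKS.items() if rx.search(html)]
    # The X-Pingback header advertises the xmlrpc.php endpoint to every visitor.
    if any(h.lower() == "x-pingback" for h in headers):
        found.append("xmlrpc_pingback_header")
    return found
```

To run it against your own site, pass the body and headers of a GET to the home page; a direct request to /xmlrpc.php remains the definitive check for whether XML-RPC is actually disabled.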

The next few tabs are specific to various extensions and outside the scope of this tutorial. If you are using any of those plugins I recommend paying for the license to integrate WP-Bruiser’s features with them. I personally use the Contact Form 7 extension on many websites and it has completely eliminated contact form spam.

Notifications Tab

This is a very handy feature. You should configure your E-mail address in the field provided and enable both checkboxes. This will notify you any time an administrator logs into your website, which can inform you if someone has compromised your website. If you operate a site with many people, have everyone use ‘Editor’ level accounts or lower for day to day tasks.

That’s it! WP-Bruiser is a very lightweight plugin and still provides a lot of additional security to a WordPress site, as well as eliminating 100% of bot submissions in your comment and contact forms.

I think it would be best to begin this article with a “buyer beware” section. I am going to describe the various dishonest and unscrupulous business practices which are all too common among website hosting providers. Afterward, I will try to summarize a few positive things to look for in a good hosting provider.

Unlimited Resources

This is the latest popular fraud perpetrated by the hosting marketplace. There is no such thing as “unlimited”. Hosting services are in business to make money, so their profit has to outpace their overhead costs. All hosting incurs overhead costs. The two key factors in determining cost are hardware resources and internet connectivity.

Hardware Resources

Webhosts are computers, just like your personal computer. They have 1 or more CPUs (Central Processing Unit), they have some amount of volatile memory, also known as RAM, usually several gigabytes worth. They have some amount of non-volatile storage, either a Hard Disk Drive or a Solid State Drive. All of these things are limited. Computer motherboards have a maximum number of CPUs, a maximum memory capacity, and any particular server can only handle a certain number of disk drives, each of which has a maximum capacity. There is no such thing as unlimited.

Internet Connectivity

High capacity business internet connections are different from your residential internet connection. They are either billed on the bandwidth they use, or they have a quota that they are given with their monthly payments. This means that bandwidth costs are factored into the prices of the hosting service. They do not ever offer unlimited service. You’ve probably seen that some cellular operators have data usage quotas; this is very similar. Unless their service states otherwise, your data bandwidth is tracked. If your website uses more bandwidth than the quota for your hosting plan, they will shut you down or they will bill you extra. Some providers do offer “unmetered” internet service, but you will pay extra for that. You will not get unmetered service on a shared hosting plan, but they might lie to you and say otherwise.

Review: The Unlimited Lie

We’ve learned that a number of factors in server operation include overhead costs and inescapable limitations. Let’s review the resources which can never truly be unlimited. Any time you rent a hosting package, the provider should be willing to clearly define your quotas for these resources. If the provider is unwilling to clearly define your quotas you should rent from a different provider:

CPUs (Central Processing Unit)

Memory (RAM)

Storage (HDD or SSD)

Bandwidth or Transfer

Arbitrary Restrictions

The second most popular dishonest behavior of webhosting companies is to limit things that should be unlimited. While the physical limitations of a server are real, there are certain software features which do not incur any overhead costs, and should not be limited by the hosting provider. For example, the number of E-mail accounts. There is no overhead difference between 1 E-mail account and 1,000 E-mail accounts. Many hosting companies introduce arbitrary limitations on these and other features so they can get you in the door with “cheap” plans and then sell you on upgrades later on. There are a lot of free software packages available to server operators which are easily installed via automatic scripts, and so should be offered as standard features with their service. Anti-Virus is one example.

What features should be unrestricted?

I will list for you the features which do not incur any overhead costs, and should be included as standard features with every hosting package. Keep in mind, there are still physical hardware limitations such as maximum storage capacity, but those limitations should be the only limits placed on these features. If a hosting provider you’re considering wants to charge extra for any of these features you should steer clear.

E-Mail. It should be unlimited and free.

Anti-Virus & Spam Filtering should be free.

Root access should be available on all private hosting plans except shared hosting.

“Domain Validated” SSL Encryption certificates should be free.

Monitoring. If the provider has the infrastructure to offer it, it should be free.

Database service should be free. On private servers, it should be private and free.

Confusing Websites

Show me the money! Why do some hosting providers have 20-page websites with most of the pages not listed on their main menu? They are hiding the details of their service so you’ll make an impulse purchase. I’ve looked at a lot of hosting websites and I’ve seen many great examples of good web design which clearly defines all the quotas and features of each package on a single page, so there’s no legitimate reason why they can’t all do that. They know that’s the information you want. They have obfuscated the information on their websites intentionally, because they know if you could easily compare their service with their competitors, you would choose the competition.

Honest Practices

The Hosting marketplace is very ugly, but it’s not hopeless. There are practices you can look for which are evidence of an honest provider. For example, your hosting provider should clearly define for you any quotas on server resources. If they claim that your memory, storage, or CPU usage are unlimited, then they are lying to you. Every large host who offers those things has been caught lying, when they shut down their customer websites for using too much of their “unlimited” service.

Your hosting provider should provide a Service Level Agreement or SLA. One of the key parts of any legitimate SLA is the guaranteed uptime. This is usually expressed as a percentage such as “99.9%” or “99.99%”. What this means is, if you have a 99.99% SLA your provider guarantees that your server will be operational for 99.99% of the time. That means you will experience no more than 8.6 seconds of downtime per day, or 4 minutes and 23 seconds per month, and so on. These are industry standard terms, and every legitimate provider will offer you an SLA, usually with some sort of compensation for downtime which exceeds the SLA. Compensation may take the form of service credits, discounts, or refunds.

Review: What to look for

It’s time to put what we’ve learned to practical use and select a hosting provider. Here is a list of things to look for in a hosting provider:

Want to save some time?

There are thousands of web hosting companies. It is a very competitive marketplace, and a disturbing number of those companies will resort to any unscrupulous methods to make more money. If you don’t have the time to navigate websites for dozens of companies to compare their services, have a look at my service. I am in this business to provide an honest product at an affordable price. I regularly perform my own market research to ensure my product is equivalent or superior to my competitors, both in features and price. I only offer the highest quality servers, which is important for the needs of a small or medium business. I am not interested in making money by ripping off those ignorant of technology’s finer nuances. You can read more about my services at https://pridetechdesign.com/hosting.

Especially Bad Providers To Avoid

I know some of you are overwhelmed by this process and you’d really like some tips on who the worst providers are so you can avoid them. I’ve compiled a list which should help you. All of these providers have many thousands or millions of customers, so you will hear people say they had positive experiences, but do not be swayed by anecdotal evidence. These providers all have far more negative customer reports than any others in the industry, or they are in some other way very unsuitable choices.

Endurance International Group: The worst. Includes BlueHost, HostGator, many others. See the Wikipedia article on Endurance International Group for a complete list.

GoDaddy: Also one of the worst. Their website is a mess of upsells which must be navigated to reach the checkout, this is to confuse people into spending more than they should. Their service quality is at the bottom of the marketplace, and their support is incompetent. On many occasions, they’ve deleted customers’ entire websites, to which they respond “Oh well”.

DreamHost: They practice Bait-And-Switch with their VPS product. They suffer massive outages every week. During these outages, they encourage their customers to pay extra for “premium” support, which doesn’t improve their recovery time. They perform disruptive planned system maintenance during business hours, taking customer sites offline for the entire business day for upgrades that could have been performed overnight.

ServerPilot.io & RunCloud.io: Presently these providers only allow you to use Ubuntu, which is a commercial (not free) Linux distribution aimed specifically at the desktop market. It is not a suitable server distribution. Most servers are built using Debian, RedHat, CentOS or Fedora. ServerPilot does not support any of those, which calls their competency into question. ServerPilot and RunCloud are supposedly different companies, but their offering is identical.

Cloudways: They are similar to ServerPilot, but with a lot of negative customer reviews.

SiteGround: These guys are constantly bragging about high customer satisfaction but they only look at percentages and they disregard many thousands of unsatisfied customers. Most of their positive word-of-mouth reviews are spam generated by their website rather than genuine user reports. They use dishonest marketing and sleazy tricks to increase sales and trick users into upgrading to more expensive packages.